U.S.  General  Services  Administration  (GSA) 


PRESIDENTIAL  TRANSITION  “HOT  ISSUES”  INFORMATION  PAPER 


SUBJECT:  Identity  Protection  Services 

Contact:  Katherine  (Kathy)  Jocoy,  for  additional  information  and/or  questions. 

For  additional  information  see:  GSA  FAS  Professional  Services  Dashboard 

1.  BACKGROUND: 

In August 2015, GSA FAS awarded a governmentwide Blanket Purchase Agreement (BPA)
to provide agencies with identity theft protection services. The award resulted in three
master contracts that give the federal government access to a full range of identity
protection services, including credit monitoring (including website services and call center
services), credit risk assessments, identity monitoring, identity theft insurance and identity
restoration. Establishment of this vehicle gave OPM the ability to secure the identity
protection services needed for the breach occurring in 2015, and also serves other
agencies that have potentially been affected by independent events.


a.  General  Background: 

• In late 2014, at OMB request, GSA partnered with an interagency working group
to develop a competitively awarded governmentwide Blanket Purchase
Agreement (BPA) to provide agencies with holistic data breach response and
identity theft protection services

• The  Department  of  the  Navy's  Naval  Sea  Systems  Command  (NAVSEA) 
simultaneously  competed  and  awarded  the  BPA’s  first  task  order  providing  for 
identity  monitoring  data  breach  response  and  protection  services  for  individuals 
impacted  by  the  secondary  OPM  breach 

• BPAs were awarded to contractors with two tiers of experience.

o Tier  1 - Contractors  with  Significant  Breach  Response  Experience 
(benchmark  21.5  million  population) 

o Tier  2 - Contractors  with  Experience  in  Providing  Data  Breach  Response 
Services 

b. Issues relating to the establishment of the IPS BPA included:

• Established  tiers  to  provide  insurance  not  only  for  the  secondary  OPM  breach 
secured  by  NAVSEA  but  all  future  events. 

• Ensuring  that  adequate  industry  participation  would  occur 

• Requirements  were  established  for  a process  to  review  and  evaluate  System 
Security  Plans  including  setting  up  a collaborative  evaluation  team  made  up  of 
DHS,  GSA  and  FTC. 


2.  SCOPE  AND  EFFECT: 


a.  Impact  on  GSA’s  Customers: 

• This BPA allows ordering agencies to obtain any required identity protection
services, whether partial (e.g., credit monitoring) or complete identity
theft services that include credit monitoring, identity monitoring, restoration and
insurance.

• Allows  for  two  tiers  to  cover  both  small  and  large  breach  events. 

• Provides the ordering agencies a consistent and detailed contracting vehicle to
secure quality identity protection services.


b.  Impact  on  the  Private  Sector  and  State  & Local  Governments: 

• Due to the intricate requirements of elements such as system security plans, call
centers, disposition process and restoration, it was learned early on that under the
Professional Services Schedule, against which this BPA was placed, there
were no firms that could provide the entire scope independently. The three
firms that received an award each had established teaming arrangements with
other Schedule contract holders.


3.  ACTION(S)  PLANNED  OR  REQUIRED: 

Due to the ever-changing requirements associated with both cyber security and identity theft
services, GSA FAS has determined the need to establish a special item number (SIN) that will
support identity protection services. Doing so will allow the ordering agencies to
secure task orders or establish BPAs that meet their specific event. For instance, if an event is
viewed as minor, an agency may only require credit monitoring, versus an actual known breach
where the total solution offered by this SIN would be utilized.

o A SIN is in draft form and in process of internal review. This SIN (520-20)
covers the same requirements as those cited within the BPA. Once
approved, it will be vetted through customer agencies, including the
preceding collaborative team used to establish the BPA, followed by
collaboration with industry. Once complete, action will be taken to solicit
these services, followed by closure of the BPA.

4.  KEY  STAKEHOLDER  INTEREST: 

Government  - Acquisition: 

• Program  Directors 

• Project  Managers 

• Contracting Personnel (contract specialists and officers)

Government  - Executive  Level: 

• Senior  Procurement  Executives 

• Federal  Privacy  Council 

• GSA,  OPM,  DHS  security  teams 


Customer Agencies include but are not limited to:

• Army 

• Navy 

• Air  Force 

• Dept  of  State 

• Dept  of  Treasury 

• Dept  of  Justice 

• Dept of Transportation

• Dept  of  Veterans  Affairs 

• Dept  of  Homeland  Security 

• Dept  of  Education 

• Dept  of  Health  and  Human  Services 

• NASA 

• USAID 

• SBA 

Industry  and  Industry  Associations  include  but  are  not  limited  to: 

• Existing  Schedule  contract  holders 

• Potential  industry  partners 

• Coalition  for  Government  Procurement 

• Professional  Services  Council 

• ACT/IAC


5.  FISCAL  YEAR  2017/2018  BUDGET  IMPACT: 

None  known  at  this  time 


